Managing policy rules

Use this task to add, edit, sequence, and delete the rules of an access policy.

About this task

You can add policy rules either when you create a policy or when you edit a policy.

Verify evaluates the rules of a policy in the order in which they are listed. The first rule whose conditions match the request is the rule whose action is applied; the rules below it are not evaluated, and the default rule is always evaluated last. The order of the rules therefore determines the outcome of the policy: for example, a broad Allow rule that is listed above a narrower Block rule prevents the Block rule from ever being applied. Sequence the rules so that the policy is assessed to meet your business use case. See step 2.4 of the procedure.

Procedure

  1. Add a rule.
    1. Go to Security > Access policies and either click Add policy or edit an existing policy, then locate the Add new rule button.
    2. Click Add new rule.
    3. Enter the rule name.
    4. Optional: Provide a description for the rule.
    5. Click Next.
    6. Select the condition type, attribute, operator, and value.
      When you select a condition category, the operations in the menu are filtered according to the selected condition type.
      Note: For first-contact rules in native app policies, only the following condition types are available.
      • Location attributes
        • Network location (IP)
        • Country
        • City
      • OIDC/OAUTH context
        • client_type
      Table 1. Policy options. For each condition type, the table lists the attributes that you can select, the operations that are offered for each attribute, and what to enter as the condition value.

      Adaptive access
        These attributes are available only if Adaptive access is selected for the policy.
        New device
          Operations: Is | Is not
          Condition value: Detected.
        New geolocation
          Operations: Is | Is not
          Condition value: Detected.
        Risky device
          Operations: Is | Is not
          Condition value: Detected.
        Risky connection
          Operations: Is | Is not
          Condition value: Detected.
        Country
          Operations: One of | None of
          Condition value: Specify a condition value.
        City
          Operations: One of | None of
          Condition value: Specify a condition value.
        Internet service provider
          Operations: Value or values must exist in attributes | Value or values must not exist in attributes | At least one value must exist in attributes
          Condition value: Specify a condition value.
        Remote IP
          Operations: One of | None of
          Condition value: Specify a condition value.
        Behavioral anomaly
          Operations: Is | Is not
          Condition value: Detected.

      OIDC/OAUTH context
        Attributes: acr_values, claims, client_type, code_challenge_exist, redirect_uri_scheme, request_type, response_method, response_mode, response_type, scope
        Operations (same for every attribute): Value or values must exist in attributes | Value or values must not exist in attributes | At least one value must exist in attributes
        Condition value: Specify a condition value.

      Custom attributes
        Attributes: Any attributes that you added
        Operations: Value or values must exist in attributes | Value or values must not exist in attributes | At least one value must exist in attributes | Attribute starts with | Attribute ends with | Attribute is present (no value)
        Condition value: Specify a condition value.

      Device attributes
        New device
          Operations: Is
          Condition value: Detected.
        Device platform
          Operations: One of | None of
          Condition value: Select one or more platforms.
        Device compliance
          Operations: One of | None of
          Condition value: Select one or more compliance states.

      Location attributes
        These attributes are not available if Adaptive access is selected for the policy.
        Network location (IP)
          Operations: One of | None of
          Condition value: Provide an IP address or a comma-separated list of IP addresses, an IP range, or an IP address with subnet.
        Location history
          Operations: Is | Is not
          Condition value: Verified.
        Country
          Operations: One of | None of
          Condition value: Provide a three-letter country code, or a comma-separated list of codes, as defined by ISO 3166-1 alpha-3. See https://en.wikipedia.org/wiki/ISO_3166-1_alpha-3.
        City
          Operations: One of | None of
          Condition value: Specify a condition value.

      User attributes
        Group membership
          Operations: Value or values must exist in attributes | Value or values must not exist in attributes | At least one value must exist in attributes
          Condition value: Provide a group or a comma-separated list of groups.
          Note: An Active Directory group name that contains commas (a distinguished name) must be wrapped in double quotation marks (") so that its own commas are not read as list separators. For example, "cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com".
        realmName
          Operations: Value or values must exist in attributes | Value or values must not exist in attributes | At least one value must exist in attributes
          Condition value: Provide the name of the realm.
    7. Optional: Click Add Condition to add more condition types and operations to the policy rule.
    8. Select the action that the rule applies from the menu.
      • Redirect to get additional context
      • Block (Override)
      • MFA (Override)
      • Allow (Override)
      • Block and redirect
      • Block
      • MFA always
      • MFA per session
      • Continue
      • Allow
      Note: For native app policies, only Block and Challenge actions are available. If you select Challenge, specify one or more authentication methods.
      • FIDO2
      • Password
      • QR code
    9. Click Save.
      The rule is added to the list of policy rules.
  2. Edit or delete a rule.
    1. Click Edit for the policy whose rules you want to change.
    2. In the Policy rules section, click Edit for the rule that you want to change.
      You can change the rule name, add a condition, change the operator or value of an existing condition, or change the action for the rule.
    3. Click Save.
    4. Optional: In the Policy rules section, use the overflow menu to sequence the rules. The sequence sets the order in which the rules are evaluated.
      Rules are evaluated from top to bottom, and the first rule that matches is applied. The default rule is always last in the sequence.
    5. Optional: In the Policy rules section, use the overflow menu to delete a rule.
    6. Click Save.
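Example

The following Python script is an added example written for this topic; it is not part of Verify and does not call its APIs. It models the first-match evaluation order described in About this task and in step 2.4: rules are tried from top to bottom, the first rule whose conditions all match decides the request, and a default rule with no conditions is evaluated last. The condition helpers (one_of, none_of, values_must_exist, at_least_one_exists, network_one_of), the request fields remote_ip, country and groups, and the sample rule set are assumptions chosen for illustration; the group name is the one from the Group membership note. The same three rules are evaluated in two orders to show how listing the Allow rule above the Block rule lets a block-listed user through, and split_values shows why a group distinguished name that is not wrapped in double quotation marks is split at its own commas and never matches.

```python
import csv
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

# Added example for this topic: a model of first-match rule evaluation.
# It is not Verify's policy engine; names and semantics are assumptions.

Condition = Callable[[dict], bool]


def split_values(raw: str) -> list:
    """Split a comma-separated condition value into its entries.

    Entries wrapped in double quotation marks keep their inner commas,
    which is why an Active Directory group DN must be quoted.
    """
    fields = next(csv.reader([raw], skipinitialspace=True))
    return [v.strip() for v in fields if v.strip()]


def parse_networks(raw: str) -> list:
    """Accept single addresses, CIDR subnets and 'first-last' ranges."""
    nets = []
    for entry in split_values(raw):
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def one_of(attr: str, raw: str) -> Condition:
    values = set(split_values(raw))
    return lambda ctx: ctx.get(attr) in values


def none_of(attr: str, raw: str) -> Condition:
    values = set(split_values(raw))
    return lambda ctx: ctx.get(attr) not in values


def values_must_exist(attr: str, raw: str) -> Condition:
    # Reading of "Value or values must exist in attributes": every listed
    # value must be present in the multi-valued attribute.
    required = set(split_values(raw))
    return lambda ctx: required <= set(ctx.get(attr, ()))


def at_least_one_exists(attr: str, raw: str) -> Condition:
    wanted = set(split_values(raw))
    return lambda ctx: bool(wanted & set(ctx.get(attr, ())))


def network_one_of(raw: str) -> Condition:
    nets = parse_networks(raw)
    return lambda ctx: any(ipaddress.ip_address(ctx["remote_ip"]) in n for n in nets)


@dataclass
class Rule:
    name: str
    action: str
    conditions: list = field(default_factory=list)

    def matches(self, ctx: dict) -> bool:
        # A rule with no conditions (the default rule) matches every request.
        return all(cond(ctx) for cond in self.conditions)


def evaluate(rules: list, default: Rule, ctx: dict) -> tuple:
    """Top to bottom, first match wins; the default rule is always tried last."""
    for rule in [*rules, default]:
        if rule.matches(ctx):
            return rule.name, rule.action
    raise RuntimeError("the default rule must have no conditions")


# Constructed sample rule set (assumed names and values).
BLOCK_GROUP = "cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com"
RULES = {
    "block-listed": Rule("Block-listed users", "Block",
                         [values_must_exist("groups", f'"{BLOCK_GROUP}"')]),
    "corp-network": Rule("Corporate network", "Allow",
                         [network_one_of("10.0.0.0/8, 192.168.1.10-192.168.1.20")]),
    "abroad": Rule("Outside home countries", "MFA always",
                   [none_of("country", "USA, CAN")]),
}
DEFAULT = Rule("Default", "MFA per session")
SAFE_ORDER = ["block-listed", "corp-network", "abroad"]
SHADOWED_ORDER = ["corp-network", "block-listed", "abroad"]  # Allow shadows Block


def decide(order: list, ctx: dict) -> str:
    return evaluate([RULES[key] for key in order], DEFAULT, ctx)[1]


# Constructed request: a block-listed user connecting from the corporate network.
BLOCKED_USER = {"remote_ip": "10.20.30.40", "country": "USA",
                "groups": [BLOCK_GROUP, "cn=staff,o=ibm.com"]}

if __name__ == "__main__":
    for order in (SAFE_ORDER, SHADOWED_ORDER):
        print(order, "->", evaluate([RULES[k] for k in order], DEFAULT, BLOCKED_USER))
    # An unquoted DN is split at its commas and can never match a group.
    print(split_values(BLOCK_GROUP))
```

With SAFE_ORDER the block-listed user is blocked; with SHADOWED_ORDER the Corporate network rule matches first and the same user is allowed, which is the fail-open outcome that careful sequencing in step 2.4 prevents. Move deny rules that apply to everyone above broad allow rules, and keep the default rule as the catch-all.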